
Getting form info into a mysql select statement

Hi,

I'd like to get user input from an html form into a mysql select
statement. Here's where I'm stumped:

$result = mysql_query("SELECT * FROM dept WHERE notes LIKE
'%search-string%'",$db);

I need to get the user's input into the '%search-string%' section, but I
do not understand how to do this. I can hard-code a specific search
string and it will work, but I want the users to be able to dynamically
define the search-string. So, I created a basic html form and used the
post method to grab their input, but now I can't insert that input into
the mysql select statement. Any ideas? I think it should be easy, I just
don't know how to do it. I've tried this:

$result = mysql_query("SELECT * FROM dept WHERE notes LIKE
'%$_POST["search"]%'",$db);

But it doesn't work. Below is the form in html and the php file:

<html>
<title>Search Test</title>
<head>
</head>
<body>
<form action="search-db.php" method="POST">
<p>Enter Your Search: <input type=text name=search></p>
<input type="submit">
</form>
</body>
</html>
-----------------------------------------------------------
<html>
<body>
<?php
$db = mysql_connect("localhost", "Anonymous");
mysql_select_db("computers",$db);
$result = mysql_query("SELECT * FROM dept WHERE notes LIKE
'%surplus%'",$db);
echo "<table border=1>\n";
while ($myrow = mysql_fetch_array($result)) {
printf("<tr><td><b>%s</b></td></tr>\n", $myrow[notes]);
}
echo "</table>\n";
?>
</body>
</html>

Jul 17 '05 #1
3 Replies


"hokieghal99" <ho********@hotmail.com> wrote in message
news:bn**********@solaris.cc.vt.edu...
> Hi,
>
> I'd like to get user input from an html form into a mysql select
> statement. Here's where I'm stumped:
>
> $result = mysql_query("SELECT * FROM dept WHERE notes LIKE
> '%search-string%'",$db);
>
> I need to get the user's input into the '%search-string%' section, but I
> do not understand how to do this. I can hard-code a specific search
> string and it will work, but I want the users to be able to dynamically
> define the search-string. So, I created a basic html form and used the
> post method to grab their input, but now I can't insert that input into
> the mysql select statement. Any ideas? I think it should be easy, I just
> don't know how to do it. I've tried this:
>
> $result = mysql_query("SELECT * FROM dept WHERE notes LIKE
> '%$_POST["search"]%'",$db);
>
> But it doesn't work. Below is the form in html and the php file:
>
> <html>
> <title>Search Test</title>
> <head>
> </head>
> <body>
> <form action="search-db.php" method="POST">
> <p>Enter Your Search: <input type=text name=search></p>
> <input type="submit">
> </form>
> </body>
> </html>
> -----------------------------------------------------------
> <html>
> <body>
> <?php
> $db = mysql_connect("localhost", "Anonymous");
> mysql_select_db("computers",$db);
> $result = mysql_query("SELECT * FROM dept WHERE notes LIKE
> '%surplus%'",$db);
> echo "<table border=1>\n";
> while ($myrow = mysql_fetch_array($result)) {
> printf("<tr><td><b>%s</b></td></tr>\n", $myrow[notes]);
> }
> echo "</table>\n";
> ?>
> </body>
> </html>

Try this:

$searchstring = $_POST['search'];
$result = mysql_query("SELECT * FROM dept WHERE notes LIKE
'%$searchstring%'",$db);

JM
New River Industries, Inc. (Right around the corner from you!)


Jul 17 '05 #2


On 24-Oct-2003, hokieghal99 <ho********@hotmail.com> wrote:
> I'd like to get user input from an html form into a mysql select
> statement. Here's where I'm stumped:
>
> $result = mysql_query("SELECT * FROM dept WHERE notes LIKE
> '%search-string%'",$db);
>
> I need to get the user's input into the '%search-string%' section, but I
> do not understand how to do this. I can hard-code a specific search
> string and it will work, but I want the users to be able to dynamically
> define the search-string. So, I created a basic html form and used the
> post method to grab their input, but now I can't insert that input into
> the mysql select statement. Any ideas? I think it should be easy, I just
> don't know how to do it. I've tried this:
>
> $result = mysql_query("SELECT * FROM dept WHERE notes LIKE
> '%$_POST["search"]%'",$db);
>
> But it doesn't work. Below is the form in html and the php file:


Remove the double quotes from around search.

$result = mysql_query("SELECT * FROM dept WHERE notes LIKE
'%$_POST[search]%' ",$db);

Please note that this is VERY UNSAFE and leaves you open to a security
problem called an SQL Injection attack. At the very least you should code:
$search_string = addslashes($_POST['search']);
$result = mysql_query("SELECT * FROM dept WHERE notes LIKE
'%$search_string%' ",$db);

--
Tom Thackrey
www.creative-light.com
tom (at) creative (dash) light (dot) com
do NOT send email to ja*********@willglen.net (it's reserved for spammers)
Jul 17 '05 #3
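
An added example, not part of the thread and not any poster's code: the same search written as a parameterized query, so the form input is bound as data instead of being spliced into the SQL text, with LIKE wildcards in the input escaped so they match literally. It assumes PDO and uses an in-memory SQLite database with constructed rows so it runs offline; `like_escape` and `search_notes` are hypothetical helper names, and the `dept`/`notes` schema follows the thread.

```php
<?php
// Added example. For the thread's MySQL database, only the DSN and
// credentials change (e.g. "mysql:host=localhost;dbname=computers").

// Escape LIKE metacharacters so user input is matched literally.
// '!' is the escape character named in the ESCAPE clause below.
function like_escape(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// The search term is bound as a parameter; it never becomes part of the SQL text.
function search_notes(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT notes FROM dept WHERE notes LIKE ? ESCAPE '!'");
    $stmt->execute(['%' . like_escape($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dept (notes TEXT)");

// Constructed sample rows.
$ins = $db->prepare("INSERT INTO dept (notes) VALUES (?)");
foreach (['surplus monitor', "O'Brien's laptop", '100% tested', 'spare keyboard'] as $n) {
    $ins->execute([$n]);
}

// Constructed inputs standing in for $_POST['search']: a normal term,
// a term containing a quote, a bare wildcard, and a quote-breaking string.
$inputs = ['surplus', "O'Brien", '%', "' OR '1'='1"];
foreach ($inputs as $term) {
    $rows = search_notes($db, $term);
    printf("search=[%s] matched %d row(s)\n", $term, count($rows));
    foreach ($rows as $notes) {
        echo "  ", $notes, "\n";
    }
}
```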

Jim Moseby wrote:
> Try this:
>
> $searchstring = $_POST['search'];
> $result = mysql_query("SELECT * FROM dept WHERE notes LIKE
> '%$searchstring%'",$db);
>
> JM
> New River Industries, Inc. (Right around the corner from you!)


Thanks, that works great! It's a small world, isn't it?

Jul 17 '05 #4
